Date: Fri, 28 Oct 2016 03:02:10 +0100
From: Al Viro
To: Joe Korty
Cc: linux-kernel@vger.kernel.org, Linus Torvalds, Sasha Levin
Subject: [4.1 backport trouble] Re: BUGreport: fix minor infoleak in get_user_ex()
Message-ID: <20161028020210.GL19539@ZenIV.linux.org.uk>
References: <20161027193210.GA23006@zipoli.ccur.com> <20161028000355.GK19539@ZenIV.linux.org.uk>
In-Reply-To: <20161028000355.GK19539@ZenIV.linux.org.uk>

On Fri, Oct 28, 2016 at 01:03:55AM +0100, Al Viro wrote:
> On Thu, Oct 27, 2016 at 03:32:10PM -0400, Joe Korty wrote:

[oops in 4.1.35, bisected to 319fe1151940]

> > The following test program can be used to trigger the problem:
> >
> > /* gcc -m32 c.c -o c */
> > #define _GNU_SOURCE
> > #include <stdio.h>
> > #include <errno.h>
> > #include <unistd.h>
> > #include <sys/syscall.h>
> >
> > /* i386 syscall number for rt_sigqueueinfo (the program is built with -m32) */
> > #define rt_sigqueueinfo 178
> >
> > int main(int argc, char **argv)
> > {
> >         /* NULL siginfo pointer: the kernel must fail this cleanly with -EFAULT */
> >         int stat = syscall(rt_sigqueueinfo, 0, 0, 0, 0, 0, 0);
> >         printf("syscall(%d): stat: %d, errno: %d\n",
> >                 rt_sigqueueinfo, stat, errno);
> >         return 0;
> > }
> >
> > This is under 4.1.35 on x86_64.
>
> AFAICS, it steps on _ASM_EXTABLE_EX being more brittle in 4.1 - it pretty
> much has to have the handler on the next insn after the faulting one, or
> the resulting extable entry won't be recognized.  This
> "x86/mm: Expand the exception table logic to allow new handling options"
> in mainline is where that requirement has disappeared.  I think we
> ought to use the plain _ASM_EXTABLE and just call something that would
> set current_thread_info()->uaccess_err directly from the fixup code there.
> That, or backport the commit switching to less brittle extables.

... and frankly, backporting 548acf19234d would be my preference.  It's a bit
more intrusive than needed (_ASM_EXTABLE_FAULT is used only in memcpy_mcsafe(),
which is used only by pmem and it's the only reason for passing the trap
number to fixup_exception()), but AFAICS it's fairly safe.  Objections?